ScreenShot
| Created | 2021.03.17 23:23 | Machine | s1_win7_x6401 |
| Filename | 26a5.txt | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 54 detected (AIDetect, malware1, malicious, high confidence, Zusy, FickerRI, S18569813, Unsafe, GenKryptik, Conti, TrojanPSW, ZexaF, Mq3@aimOq, FAMQ, BotX, Ficker, ijfdwk, Gencirc, Nekark, byhxj, R002C0PBB21, GenericRXNL, Static AI, Suspicious PE, score, ai score=81, FickerStealer, CLOUD, xeOSHRGpLAs, Krypt, confidence, 100%, HwgANU4A) | ||
| md5 | 1bf3028a0b65a4174a66f3677e872026 | ||
| sha256 | 619393d5caf08cf12e3e447e71b139a064978216122e40f769ac8838a7edfca4 | ||
| ssdeep | 12288:nTcqwHtDnDnP5qLKRKd7LE8M/vBD4pa1OWxd1Ysblvd6Q3kW7743kG1isitWi:nTcqwHtDnDnP5qLKRKBL3uvd4TWf1Ys3 | ||
| imphash | 4e8e4d8a3da06a604f10a17bf079b7ac | ||
| impfuzzy | 24:iDoVYHs2QqEuOovbOZyvtl2TM+dgvTR8A:dYH03uiQ+dgvV8A | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Yara rule detected in process memory |
| info | This executable has a PDB path |
Rules (49cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | create_com_service | Create a COM server | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_file | Malware can spread east-west file | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x490000 GetLocalTime
0x490004 GetProcAddress
0x490008 LoadLibraryExW
0x49000c GetModuleHandleA
0x490010 GetStartupInfoW
0x490014 GetVersionExA
0x490018 HeapAlloc
0x49001c RaiseException
0x490020 ExitProcess
0x490024 TerminateProcess
0x490028 GetCurrentProcess
0x49002c WriteFile
0x490030 GetStdHandle
0x490034 GetModuleFileNameA
0x490038 UnhandledExceptionFilter
0x49003c GetModuleFileNameW
0x490040 FreeEnvironmentStringsA
0x490044 MultiByteToWideChar
0x490048 GetEnvironmentStrings
0x49004c FreeEnvironmentStringsW
0x490050 GetLastError
0x490054 GetEnvironmentStringsW
0x490058 GetCommandLineA
0x49005c GetCommandLineW
0x490060 SetHandleCount
0x490064 GetFileType
0x490068 GetStartupInfoA
0x49006c HeapDestroy
0x490070 HeapCreate
0x490074 VirtualFree
0x490078 HeapFree
0x49007c VirtualAlloc
0x490080 HeapReAlloc
0x490084 HeapSize
0x490088 SetUnhandledExceptionFilter
0x49008c LoadLibraryA
0x490090 RtlUnwind
0x490094 InterlockedExchange
0x490098 VirtualQuery
0x49009c IsBadCodePtr
0x4900a0 QueryPerformanceCounter
0x4900a4 GetTickCount
0x4900a8 GetCurrentThreadId
0x4900ac GetCurrentProcessId
0x4900b0 GetSystemTimeAsFileTime
EAT(Export Address Table) is none
KERNEL32.dll
0x490000 GetLocalTime
0x490004 GetProcAddress
0x490008 LoadLibraryExW
0x49000c GetModuleHandleA
0x490010 GetStartupInfoW
0x490014 GetVersionExA
0x490018 HeapAlloc
0x49001c RaiseException
0x490020 ExitProcess
0x490024 TerminateProcess
0x490028 GetCurrentProcess
0x49002c WriteFile
0x490030 GetStdHandle
0x490034 GetModuleFileNameA
0x490038 UnhandledExceptionFilter
0x49003c GetModuleFileNameW
0x490040 FreeEnvironmentStringsA
0x490044 MultiByteToWideChar
0x490048 GetEnvironmentStrings
0x49004c FreeEnvironmentStringsW
0x490050 GetLastError
0x490054 GetEnvironmentStringsW
0x490058 GetCommandLineA
0x49005c GetCommandLineW
0x490060 SetHandleCount
0x490064 GetFileType
0x490068 GetStartupInfoA
0x49006c HeapDestroy
0x490070 HeapCreate
0x490074 VirtualFree
0x490078 HeapFree
0x49007c VirtualAlloc
0x490080 HeapReAlloc
0x490084 HeapSize
0x490088 SetUnhandledExceptionFilter
0x49008c LoadLibraryA
0x490090 RtlUnwind
0x490094 InterlockedExchange
0x490098 VirtualQuery
0x49009c IsBadCodePtr
0x4900a0 QueryPerformanceCounter
0x4900a4 GetTickCount
0x4900a8 GetCurrentThreadId
0x4900ac GetCurrentProcessId
0x4900b0 GetSystemTimeAsFileTime
EAT(Export Address Table) is none